Over the past two months we’ve had the pleasure of interviewing an international panel of cyber security experts for our podcast on IoT threats. Ethical hackers, security vendors, PhD students and professors shared their thoughts on the promises of IoT as well as the challenges of an expanding attack surface. At the end of each interview, we asked the interviewees to provide cyber hygiene heuristics that the average smart home user can implement. These practices won’t make you immune to cyber threats if the NSA or FSB want to hack your computer, since they will overcome all these simple procedures to attack you, but they will mitigate attacks by less skilled actors. What follows is a summary of the top four answers. We hope you enjoy the tips and also implement them!

 

Research: Is the device manufacturer a reliable company? Do they take security seriously? Can the device be found via services like Shodan?
Avoid connecting insecure devices to your network, and always ask yourself: what would be the worst-case scenario if this device gets hacked? Then act accordingly.

Segment: If a smart thing in your network is compromised, an attacker can access your entire network and cause harm; avoid this by connecting your IoT devices to a different network (VLAN) than the rest of the computers. This may require some extra hard work if you do not have the Netonomy agent installed, or a security-focused router, but it is not impossible to do and this DIY guide can help.

Password: This should be obvious, yet default passwords are the leading cause of hacked IoT devices, because default credentials are basically publicly available information. So if you haven’t yet changed some default credentials, reset your device and immediately proceed to create a strong and original password.

Update: Pretty self-explanatory. Check periodically whether any of your connected devices have a firmware update or security patch release; failure to do so will leave you exposed to known vulnerabilities which can be exploited by malicious actors.

Beyond these basic cyber hygiene practices, it becomes really hard for consumers without technical knowledge to do much more, which is kind of scary. Fortunately, Netonomy’s solution is being implemented across different routers and ISPs to seamlessly bring security and control to home networks, which is the best hope we have to deal with IoT cyber threats today.

 

Tune in every Wednesday for more cyber hygiene tips you can implement in your network!

 

 

For this week’s IoT cyber security and cyber hygiene interview, we had the pleasure of interviewing Aditya Gupta, the founder of Attify, a global leader in IoT pentesting and security training, with learning kits and hardware for IoT exploitation for sale at their store. Gupta has spoken and taught classes at a number of security conferences (BlackHat, Def Con, OWASP AppSec, Syscan, Toorcon) and at private training engagements for organizations worldwide.

This interview is <15 minutes, feel free to listen to it below or go ahead and read the edit. Enjoy!

Do you live in a connected home, with 9 or more devices connected?
When I was getting started with IoT security, I had a couple of IoT devices in my home, but I started removing them from my network as I realized how open and insecure they are. You can’t live in a home where you have a lot of vulnerable devices that can invade your privacy.
Now I have like 3 devices that have been extremely vetted and the security is pretty strong.

What led you to create Attify?
I started Attify around 5 years ago, with the initial plan being to help companies secure their mobile applications – which was pretty big back then. But as we evolved further, we realized that IoT was going to be a real beast, with tons of extremely insecure devices. My academic background was on electronics and telecommunications, focusing on how hardware embedded devices and communications work, and doing research on hardware security. Based on that experience, we started our IoT security offering, figuring out different IoT security threats and later offering a training course called Offensive IoT Exploitation to help people figure out how to assess or find vulnerabilities on their own IoT devices.
There are tons of materials available online for people getting started in any generalized topic of security, from blogs to tutorial videos and trainings. But two or three years ago there was not a lot of content available online for those interested in learning IoT security, and that’s why we created a systematic and methodological approach to learn IoT security in an intensive 3 or 5 day class.

In addition to creating great content, Attify sells IoT hacking tools and learning kits for researchers and makers… is this a shift in the company to focus on training the next generation of information security professionals over consulting?
There is definitely a huge need of awareness in terms of IoT security for all companies interacting with IoT devices; they definitely need IoT security education. I would say that we are gradually focusing more on the training aspect of the business, because that is where the entire industry is paying more attention to, they want to learn how to figure out the security issues in these kinds of devices.

Tell us a bit about The IoT Hackers Handbook, who is the book written for?
The book was written for anyone who wants to get started with IoT security with absolutely no previous background in it, giving them an in-depth introduction to each of the various IoT components.

Good cyber hygiene practice recommendations: What can users that have smart things do to stay protected?
This is pretty much the need of the time now because a lot of consumers are introducing so many new devices, but there are not that many things that consumers can do at this point to secure themselves from IoT security threats, which is kind of scary. But there are definitely a few steps which they can take to make themselves secure:

  • Network segmentation: making sure that the new IoT devices are in a different network.
  • Making sure the new IoT device does not have any public vulnerability online, which anyone can look up and attack your device.
  • Making sure that the company making the device is proactive when it comes to security.
  • Invest in solutions that can help analyze and monitor the home network traffic (i.e. Netonomy) and alert you when something wrong is going on.

If you have some technical background, it’s always good to do some research on the device before introducing it home. This is something I always do, even though it takes a lot of time, you get the assurance that your device is not recording or spying on you.
If you are a company, it’s always good to have an internal pentest before introducing a connected device, smart coffee machines can leak your WiFi credentials. We have to wake up and smell the coffee; I’ve seen so many IoT devices leaking sensitive information. And it’s going to get much worse unless enough attention is paid to these kinds of devices in the future.

For this week’s podcast we had the honor of interviewing none other than Ted Harrington, executive partner at Independent Security Evaluators (ISE) – security researchers and consultants widely known for being the first company to hack the iPhone. Ted drives thought leadership initiatives at ISE and is one of the organizers of IoT Village, the popular new hacking concept focused on connected devices; he is also an organizer of SOHOpelessly Broken, the first ever router hacking contest at esteemed security conference DEF CON.

We recommend you visit their website and check out their amazing “knowledge” center, full of great case studies, papers/publications, presentations and an updated blog. This interview is ~15 minutes, feel free to listen to it below or go ahead and read the edit. Enjoy!

Would you say you live in a connected home, with 9 or more connected devices?
I would say pretty much everybody does, because when you start talking about routers, laptops, smart phones, wearables…things of that nature, it all adds up pretty quickly. So even people that would not consider themselves to be in a smart home, would definitely qualify as living in a connected home.

What percentage of connected devices would you say are vulnerable to hacking, is it all of them?
One should never make generalizations about anything. But what we’ve seen through our security research and assessment practices, as well as the events that we’ve organized, is that security flaws really are systemic across the connected device industry. The data suggests that these security issues aren’t necessarily relegated to a particular device type - it’s not just that light bulbs are a problem, it’s basically all of the devices that we have been looking at through different channels. And we’ve also seen it across pretty much all of the manufacturers that we’ve looked at, from large enterprises to small startups that people haven’t heard of yet.

In brief, it would probably be irresponsible to say that all devices in the connected home are vulnerable. But the research has shown that, in the current market, many connected devices really do have some security challenges to them. The likelihood is high that one or more devices in a given home have some security vulnerabilities.

Why do you think this is the current situation?
I believe it’s primarily due to market forces. When you think about the evolution of any technology that is transformative, you see a similar trend.

In the first stage, someone innovates – the idea of making traditionally analogue devices to communicate, and spawns a movement. That creates the second stage, where there’s a rush to the market, and companies provide solutions because the marketplace is thirsty for the solution. So it’s truly driven by economic factors, because people want to buy these things, and companies will supply these things. That rush is so powerful right now that it is really omitting security in many cases as part of it. That’s not to say it’s true in all cases, and I do want to make that point really clear, there definitely are connected device companies taking security very seriously, doing a great job at it. But in the aggregate, most are really rushing to market without adequate security to supply solutions to satiate demand.

Do you expect this trend to continue?
I think it will get worse before it gets better. Eventually I think things will get better because of this progression that I was describing before, when transformative technologies are introduced. And there’s a third stage. The first stage is the innovation that creates an explosion that creates a marketplace, the second stage is the rush into the market where solutions are introduced and security is not a development priority, and the third stage (which is a very long stage) is where security experts eventually get their message hammered into the operating principles of the companies in these marketplaces, and they start to implement security. Over time the marketplace overall gets to a place where it has a much better security posture.

However, that takes a really long time to happen. We are in a rocket ship of adaption right now, more and more companies and people are going to buy more and more connected devices, more and more different types of things are going to start having connectivity to them where they might previously not have had, and that’s going to lead to a very expanded attack surface. Meaning, there are just going to be more and more ways for attackers to attack whatever it is that they are trying to go after. And we’re going to have to go through that, unfortunately, before the marketplace really starts to shift. So it will get better, I hope, but it’s going to get worse before it gets better.

A great initiative by Independent Security Evaluators (ISE) to increase cyber awareness is the IoT Village event, could you tell us a bit about that?
Security research conferences have what’s known as a village concept, which basically focus on different topics to get security researchers focused on an issue. We’ve been working with DEFCON for a few years now to organize the IoT Village, and we take it beyond DEFCON to a number of conferences throughout the US, and are in discussions right now to bring it to a few places around the world (Tel-Aviv coming soon). What we do at IoT Village is to try and get together a number of security researchers and manufacturers and really collaborate on these security issues that we are seeing. We have security researchers come and present research that they are publishing, have contests where we buy a bunch of devices and we say: ok everyone, let’s hack away at these and let’s find some vulnerabilities, and we’ll do contests of a more traditional Capture-the-Flag style. Basically what we are really doing is shining a spotlight on cybersecurity as an important topic in this tech domain, which is IoT. And then, of course, we work with our friends in the press and media to publish it so that we can hopefully be that catalyst for change to shorten the lifecycle from where we are today, to that future [3rd] stage where hopefully we’ll be in a more secure and resilient posture.

You also organize SOHOpelessly broken, where the focus is router security
Yes, SOHOpelessly broken was the first router hacking contest ever at DEFCON, and it actually spawned out of some router hacking research that we had done immediately prior to that. SOHOpelessly broken has grown in its scope to cover other connected devices, but its root is around router hacking. We have a paper that we published that’s available as a free download from our website and it analyzes the research that we did that was the impetus for SOHOpelessly broken. Basically, we looked at all of the major popular SOHO routers and tried to see whether they were vulnerable to remote and/or local attack, and we found that every single router that we looked at was vulnerable to at least one of the two. It was about 56 different security vulnerabilities across thirteen different router models. So SOHOpelessly broken is now getting a community of people to poke at routers and other devices, and it usually runs right alongside the IoT village.

What are some heuristics you would give to the average consumer when it comes to network security?

First and foremost: Change the default passwords.
When you get a router, either from your ISP or your own, it’s going to come with default credentials which are usually pretty basic – and even if they look complex, you want to change those passwords, because those default credentials are basically publicly available information. All someone has to do is a quick Google search and they can know based on a given model what the default credentials are. There’s a tool known as SHODAN, which is a search engine for connected devices, so an attacker can just research and find these devices online, and by knowing the default credentials, can start attempting to use those and in a huge percentage of cases they’ll be successful because people don’t change the default passwords.

That’s actually how the Mirai botnet was successful last fall, by exploiting the fact that people don’t really change default passwords. So first and foremost: change the default credentials, because it’s basically like not having a password if you don’t.

Next would be really thinking about the need for certain elements of connectivity. I do not mean to say that someone should not adapt these emerging solutions. I’m a huge advocate of where IoT is going, I want to have connectivity in all kinds of things. But when you are buying a device, it’s important to think if you are buying it for the purposes of its connectivity, because otherwise…that would be a case where you might want to think: do you need the connected version of this?

If you are not actually going to benefit from the connectivity, all that you are doing is introducing new ways to be attacked, without capturing any of the benefit.

 

We are honored to inaugurate our weekly podcast with Andrew Tierney, a consultant at PenTestPartners, one of the world’s leading authorities on IT security consulting and penetration testing. They don’t just test and break systems, they go after what’s really important to protect: data. They test how long it would take to get valuable data and how quickly the systems and people can spot the attack, giving clients a true measure of how effective their security is, and where it needs work. If you are not familiar with PenTestPartners, we recommend you visit their website and check out their amazing weekly content on cybersecurity. This interview is <15 minutes, feel free to listen to it below or go ahead and read the edit. Enjoy!

Do you live in a connected home with 9 or more connected devices?
Certainly, but the number of them that would classify as IoT devices is fairly low… over the last few years I’ve reduced the amount of devices connected to the network, largely due to my probing and poking, and starting to trust them less and less.

Interesting! So you are concerned about the expanding threat landscape in connected homes?
My primary concern is that consumers (and I put myself in that group) don’t understand what these devices are doing. We can’t just pick up a device and understand how it operates, what risks it places you at by putting it in your network. Even if you have other controls in place, like segregated networks and firewalls, you are still not truly sure what that device is doing. We just don’t have the time to look at everything we buy to work out if it’s secure or not, and what we’ve learned by performing tests across different devices is that, generally, there will be some security problems.

Could you take a random guess, based on your experience, of what percentage of IoT devices out there are vulnerable to hacking?
Given enough time and effort you’d probably be able to break into any device. If you got Mossad after you, any IoT device will present a risk to you. But if you are a general consumer considering what devices will put you at risk, I’d say around 50% of the devices we have looked at had very serious security problems in them. It’s a scary proportion.

Why do some companies perform their cyber security due diligence and others don’t?
I wish we knew the answer to that. I think it’s about the motivation within companies to research IoT security and the impact it can have. One of the problems we see very often is that companies don’t budget (in time or money) for security in projects; they feel [security] is like a bolt-on that you get for free, so it does not get put into the system and they end up with an insecure product.

So this cyber security challenge is an opportunity for organizations like PenTestPartners to consult with clients and companies like Netonomy to provide network security. Do you think there are other market entrants that could address this problem?
What we’d like to see are guidelines, frameworks and standards allowing companies to do the basics of security, so when they come to us for Pen Testing, or start using a third party system to improve security, they’ve already covered the basics to minimize the system.

What are the most common penetration methods you’ve used that succeed in breaking a device?
It’s quite hard to group them into the most common ways, but I’d say the primary cause of breaking into devices is not minimizing the system: default development passwords, telnet, FTP, web services and open ports. When it comes to cloud services, they often don’t validate the device’s identity, so we can pretend to be another device and access data that we shouldn’t be able to. There is no one method in penetration testing to compromise all devices connected to the cloud, pentesting is time restricted, so we may not be able to compromise everything, but we might find lots of little problems along the way, and it’s really key that vendors fix them to prevent them being chained together and become really big problems.

Do you feel that the risks moving from the cyber realm into the physical are increasing?
Certainly. We are starting to see IoT impacting the real world. One of the most common products in the UK is an IoT thermostat, and one might not think that has much of an impact, but if you control 100,000 heaters and turn them on or off at the same time, you can have an impact in the electrical grid or the gas distribution network. But IoT is moving into other physical areas, we’ve seen over the last few years significant vulnerabilities found in cars, defibrillators and pacemakers, SCADA systems, and more. I think over the coming years we are actually going to see more and more attacks that take impact in the real world.

What can the consumer do when it comes to cyber hygiene, do you have any heuristics concerning IoT?
The first thing is to vet the devices you bring to the network, look at the company: do they take security seriously? Don’t bring insecure devices into your network. The second thing is not to treat your network as a safe space, companies and homes alike often fail to do this, and if a device in the network is compromised an attacker can access your data and change things like the configurations in your router. Beyond that, it becomes really difficult to give advice to the consumer, it’s very hard for them to judge if they are putting themselves at risk – they don’t have the insights or technical knowledge to do it. Whenever I run IoT devices, they are on a completely distinct network (VLAN) from the rest of my computers, completely distinct WIFI network…but all these things are very difficult for the consumer to put in place. We are seeing dedicated routers coming out that allow users to put these functionalities in place to protect themselves and I think that’s probably the way we are going to see IoT security go in the near future.